So, this morning, I got an interesting call from a client. They have a drive letter that they just dump everything in: most folders have wide-open permissions, gigs and gigs of documents going back to the '90s. (Yes, I know what a bad idea this is...)

So, this morning, I got an interesting call:
Basically, every single Microsoft Office file (.doc, .docx or .xls) on this share is corrupt. Based on the description of the problem, I first thought it was an issue with Word. But it wasn't just one computer; every computer had the same problem. I decided to download a few documents to my machine, which has a much newer copy of Office on it. Still just a bunch of gibberish. Now, normally if you open a Word doc in Notepad, it'll be a lot of gibberish, but there will be some human-readable text too; these had absolutely nothing readable. It almost looked like it was encrypted.

PDF files are fine, JPGs are fine. It's only Word and Excel documents. The timestamps on the documents haven't changed. The sizes all look right.

Has anyone seen this before? Is this some kind of ransomware crypto? I think that's what this might be, but most of the ransomware I've seen makes it pretty obvious you are being extorted and leaves notes.

It's interesting to note, other shares on the same server on the same volume did not seem to be affected.

I did a partial restore of the most important documents they need for today (which was still many gigs that took a while to restore), put it back in the same network drive, and everything is fine.
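As an added example (not part of the original post or any reply), here is a small Python triage script for the symptom described above: Office files whose bytes no longer start with the expected signature and whose content is near-random, while timestamps and sizes look untouched. It checks the real file signatures (OLE2 compound file for .doc/.xls/.ppt, ZIP for .docx/.xlsx/.pptx, `%PDF-` and JPEG) and the Shannon entropy of the first 4 KiB, then lists files that fail both checks. The sample share it scans is constructed inline with a deterministic stand-in for ciphertext; the 7.5 bits-per-byte threshold and the file names are the author-of-this-example's assumptions, not something from the thread.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Real signatures for the formats mentioned in the thread.  Legacy Office
# binaries are OLE2 compound files; Office Open XML files are ZIP containers.
OLE2 = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
MAGIC = {
    ".doc": OLE2, ".xls": OLE2, ".ppt": OLE2,
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".pdf": b"%PDF-",
    ".jpg": b"\xFF\xD8\xFF", ".jpeg": b"\xFF\xD8\xFF",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 in counter mode) standing in
    for ciphertext, so the demo reproduces exactly without os.urandom."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return bytes(out[:n])

def triage_file(path: Path, sample_size: int = 4096):
    """Return (verdict, entropy) for one file.  verdict is "ok" when the
    header matches the extension, "header-mismatch" when a known extension
    lacks its signature, "unknown-type" for extensions not in MAGIC."""
    with path.open("rb") as f:
        head = f.read(sample_size)
    ent = shannon_entropy(head)
    sig = MAGIC.get(path.suffix.lower())
    if sig is None:
        return "unknown-type", ent
    return ("ok" if head.startswith(sig) else "header-mismatch"), ent

def scan_tree(root: Path):
    """Walk root recursively; map relative path -> (verdict, entropy)."""
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            results[str(p.relative_to(root)).replace(os.sep, "/")] = triage_file(p)
    return results

def suspect_files(results, entropy_threshold: float = 7.5):
    """Wrong header AND near-random content: what documents encrypted in place
    look like.  A wrong header alone (e.g. a text file saved as .doc) is only
    mislabelled and is deliberately not flagged."""
    return sorted(name for name, (verdict, ent) in results.items()
                  if verdict == "header-mismatch" and ent >= entropy_threshold)

def build_sample_share(root: Path) -> None:
    """Constructed stand-in for the share: healthy files, two 'hit' files,
    one mislabelled plaintext file and one file of unknown type."""
    body = b"Quarterly report text. " * 200          # readable, low entropy
    (root / "ok.doc").write_bytes(OLE2 + body)
    (root / "ok.docx").write_bytes(b"PK\x03\x04" + body)
    (root / "ok.pdf").write_bytes(b"%PDF-1.4\n" + body)
    (root / "ok.jpg").write_bytes(b"\xFF\xD8\xFF\xE0" + body)
    (root / "old").mkdir()
    (root / "old" / "hit.doc").write_bytes(pseudo_random(4096))
    (root / "old" / "hit.xls").write_bytes(pseudo_random(4096, b"other"))
    (root / "mislabelled.doc").write_bytes(b"plain text with the wrong extension\n")
    (root / "notes.txt").write_bytes(b"no signature known for .txt\n")

def demo():
    """Build the constructed share in a temp dir and return the suspects."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_share(root)
        return suspect_files(scan_tree(root))

if __name__ == "__main__":
    # Against a real share, replace demo() with suspect_files(scan_tree(Path(r"X:\"))).
    for name in demo():
        print("SUSPECT", name)
```

Run it against the real share root instead of the constructed one to get a list of affected files to restore rather than restoring everything; a "header-mismatch" with low entropy is worth a look but is usually a mislabelled file, not a hit.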

I've seen this happen after a bad anti-virus update. I believe it corrupted an MS Office component, causing the issue. Once we reverted to a previous update, the problem was resolved. I suggest you try to open a document from a system that is not on the network to see if it is indeed corrupted. You could email yourself a file and open it on a different computer. Beware that the file might contain a macro virus and can mess up your computer!


Same issue on a 2008 SBS server: "all" the folders and files (Excel, Word) are corrupt. I use a Barracuda backup server, however I don't think restoring from there is going to fix the issue. I also have Trend Micro. Anyone have an idea how I can recover these files? There are literally 1000s.

Well, actually, the funny thing was, ransomware was my first instinct when this incident occurred. I just restored from backup, and everything seemed fine for the rest of the day; 10 minutes after posting this I got a call that they couldn't access anything again, then I KNEW.
After an informal forensic investigation, I found the timestamp on the offending .exe file was around ~8:00 AM Sunday (Sept 8th) morning.

However, the scary thing is, after looking at the detections in VirusTotal and researching them on the major AV vendors' pages: McAfee claims this variant was first discovered on the 10th, Microsoft claims the 10th, Symantec claims the 11th, Avira had a VDF for it on the 10th, Sophos claimed to have seen it on the 8th, but says "Protection available since: 10 Sep 2013".

So... assuming this timestamp is correct, it seems like this particular piece of malware had managed to spread in the wild for 2 or more days before being picked up by the major AV vendors.

(In this particular case, there were many cut corners, including expired AV software, so I don't know if the heuristics or behavioral analysis of the AV software would have managed to stop it.)

Thank you for this posting, it helped us a great deal yesterday when over 20,000 files got corrupted/encrypted on our file server. The only option we had was to restore all the files. We are back in business. Trend Micro did not seem to detect it.


Steve, did you guys find a way to "uncorrupt" the files? The same thing just happened to our office. Nothing out of the ordinary was downloaded that we can see, just "fileshredder" and "avast" from download.com. It appears that every single Word, Excel, PowerPoint and PDF is now corrupt and will not open. In Excel the message is that the file does not match the extension and it might be corrupt. Tried AVG, Trend Micro, Avast; nothing was found, apart from Emsisoft, which found "Win32.urausy". However, the Emsisoft Decrypter found nothing and was not able to decrypt the files; maybe it's some kind of variant. No pop-ups or demands came up?

If this is the same root as CryptoLocker, you will need to restore from backup or Shadow copies. Curious, check your AV logs and see if it caught part of the infection. Do you have anyone bringing laptops from home?


We just got hit with this today as well; it took out terabytes of data on a file share that the infected user had access to. Our Norton AV logs did identify the user and caught an .exe in his AppData folder, but not before the damage was done. Running a restore as we speak, but would love it if someone did find a way to decrypt these.


I had a client that lost about 40,000 files. We recovered most of them using a Volume Shadow restore. The rest will have to come from an older backup (the files were corrupted for a while before it was discovered, because they're in a group of mostly old, archived data). As far as I can tell, the files aren't "fixable". Only recoverable with VSS or a good old restore from backup.